Freelan relies on X.509 certificates for its authentication mechanism. For several hosts to connect using freelan, each of them must have its own unique certificate.
Certificate generation is a very sensitive topic that must not be taken lightly, and I encourage you to read a lot about it and to fully understand its principles before you continue.
To generate certificates, you will need the openssl command line tool. Make sure it is in your PATH so that you can execute it from anywhere.

A freelan host (also called a 'contact') identifies itself by presenting an X.509 certificate to other hosts. This certificate is public: one can give it to anyone without facing security issues.
This certificate contains a public RSA key which anyone can read and use and, amongst other things, a common name which can be anything from an email address to a hostname: this common name identifies the host and should be unique inside the virtual private network.
Associated with this certificate is a private key. As its name implies, the private key is private and MUST remain so! I cannot stress that enough: never give your private key to anyone! Don't store it on your desktop. Don't send it in cleartext to your email account. Don't make a t-shirt out of it.
If you are curious about why we need those two elements, here is a short explanation:
- If someone uses the public key to encrypt something, only the owner of the private key can decrypt it. That is, you have the guarantee that when a message is sent, only the intended recipient can read it.
- If someone uses their private key to 'encrypt' (actually, 'sign') something, anybody with the associated public key can verify it. That is, you have the guarantee that when a message is received, its sender really is who they claim to be and that the message was not altered in transit.
Those two principles are sufficient to ensure both authenticity and confidentiality but have a cost: you have to generate the private keys and the certificates first.
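The following script, added here as an illustration and not taken from the freelan documentation, exercises both properties with the openssl command line tool: a message signed with alice.key verifies under alice.pub and fails as soon as a single character changes, and text encrypted to alice.pub can only be recovered with alice.key. The 'alice' file names, the 2048-bit key size, RSA-OAEP padding and the sample messages are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the freelan documentation): demonstrates the two
# properties above with the openssl CLI. Assumptions: openssl is installed;
# the "alice" file names, key size and sample messages are arbitrary.
set -eu

WORK=${WORK:-$(mktemp -d)}
trap 'rm -rf "$WORK"' EXIT

# Alice keeps alice.key to herself and hands alice.pub to everyone.
make_keypair() {
    openssl genrsa -out "$WORK/alice.key" 2048 2>/dev/null
    openssl pkey -in "$WORK/alice.key" -pubout -out "$WORK/alice.pub"
}

# Authenticity: only alice.key can produce this signature ...
sign_message() {
    printf '%s' "$1" > "$WORK/msg.txt"
    openssl dgst -sha256 -sign "$WORK/alice.key" -out "$WORK/msg.sig" "$WORK/msg.txt"
}

# ... and anyone holding alice.pub can check it. Prints OK when the candidate
# text is exactly what was signed, FAIL when it was altered.
verify_message() {
    printf '%s' "$1" > "$WORK/candidate.txt"
    if openssl dgst -sha256 -verify "$WORK/alice.pub" -signature "$WORK/msg.sig" \
            "$WORK/candidate.txt" >/dev/null 2>&1; then
        echo OK
    else
        echo FAIL
    fi
}

# Confidentiality: anyone can encrypt to alice.pub (RSA-OAEP) ...
encrypt_for_alice() {
    printf '%s' "$1" > "$WORK/secret.txt"
    openssl pkeyutl -encrypt -pubin -inkey "$WORK/alice.pub" \
        -pkeyopt rsa_padding_mode:oaep -in "$WORK/secret.txt" -out "$WORK/secret.enc"
}

# ... but only alice.key can decrypt. Prints the recovered plaintext.
decrypt_as_alice() {
    openssl pkeyutl -decrypt -inkey "$WORK/alice.key" \
        -pkeyopt rsa_padding_mode:oaep -in "$WORK/secret.enc"
}

main() {
    make_keypair
    sign_message "hello from alice"
    echo "genuine:   $(verify_message "hello from alice")"
    echo "tampered:  $(verify_message "hello from mallory")"
    encrypt_for_alice "the vpn passphrase"
    echo "decrypted: $(decrypt_as_alice)"
}
main
```

Note that the signature is computed over a SHA-256 digest of the message, so even a one-byte change in the candidate text makes verification fail; the public key file can be derived from the private key at any time, but never the other way round.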
While certificates give us authenticity and confidentiality, anyone can generate a certificate containing wrong information (an incorrect 'common name', for instance), so we have to check every certificate we are given and ensure that it really was issued to the host or organization it names. Doing this by hand for every certificate is really time consuming.
Luckily, X.509 provides a mechanism to ease this, called certificate signing.
Any X.509 certificate can be signed by another certificate, called a parent certificate. This signature is generated with the private key associated with the parent certificate and attests that the signed certificate was verified by the owner of the parent certificate (also called a certificate authority).
That is, with this mechanism, one doesn't have to trust every possible certificate directly, but only the parent certificates. It is worth saying that this makes the parent private keys even more sensitive!
Note: The parent certificate can also be signed by an even higher parent certificate. This is often referred to as a certificate chain.
Good? Let's create certificates!
Here are the steps to create a simple certificate authority.
Get the certificate authority sample folder archive and extract it where you like.
Go inside the extracted folder and type:
When prompted for a passphrase, type what you want, but remember it! You will have to type it whenever the certificate authority private key file is needed.
You should now have a certificate file at crt/ca.crt and its associated private key file at key/ca.key.

Now that you have a working certificate authority, it is time to generate client certificates. Repeat the following steps for every certificate/private key pair you need.
Private key generation
The first step is to generate a private key:
If you wish to protect your private key with a passphrase, use the following command line instead:
Note: Using a passphrase will increase the security of your private key: even if it gets stolen, the passphrase will be required to use it. However, setting a passphrase on the private key can prevent its use in automated systems, where nobody is there to type it in.
This will generate a file named alice.key. This is the client private key.

Note: every host should generate its own private key so that it stays secret. The certificate authority does not need the client private key to sign the client certificate.
Issuing a certificate request
Now that a client has a private key, it must generate a certificate request from it. This certificate request is sent to the certificate authority, which can then choose to accept it and generate a signed certificate from it.
To generate a certificate request, type the following command:
Fill all the certificate request attributes.
This will generate a file named alice.csr. This is the client certificate request.

Note: Those two steps (private key and certificate request generation) do NOT need to be done in the certificate authority folder. They should in fact be done directly on the final host, so that the private key never has to leave the machine it belongs to.
Generating a signed certificate from a certificate request
The final step is to generate a signed certificate from the certificate request. This is obviously done on the CA.
Type the following command:
This will prompt for the ca.key passphrase, then ask you whether you want to accept the certificate request. This will generate an alice.crt file: the client's signed certificate, which can be sent to anyone.

Repeat these steps for every client, and you will be ready to use freelan! Congratulations!
5.3.2 Creating SSL Certificates and Keys Using openssl
This section describes how to use the openssl command to set up SSL certificate and key files for use by MySQL servers and clients. The first example shows a simplified procedure such as you might use from the command line. The second shows a script that contains more detail. The first two examples are intended for use on Unix and both use the openssl command that is part of OpenSSL. The third example describes how to set up SSL files on Windows.
There are easier alternatives to generating the files required for SSL than the procedure described here: Let the server autogenerate them or use the mysql_ssl_rsa_setup program. See Section 5.3.1, “Creating SSL and RSA Certificates and Keys using MySQL”.
Whatever method you use to generate the certificate and key files, the Common Name value used for the server and client certificates/keys must each differ from the Common Name value used for the CA certificate. Otherwise, the certificate and key files will not work for servers compiled using OpenSSL. A typical error in this case is:
Example 1: Creating SSL Files from the Command Line on Unix
The following example shows a set of commands to create MySQL server and client certificate and key files. You will need to respond to several prompts by the openssl commands. To generate test files, you can press Enter at all prompts. To generate files for production use, you should provide nonempty responses.
After generating the certificates, verify them:
You should see a response like this:
To see the contents of a certificate (for example, to check the range of dates over which a certificate is valid), invoke openssl like this:
Now you have a set of files that can be used as follows:
- ca.pem: Use this to set the ssl_ca system variable on the server side and the --ssl-ca option on the client side. (The CA certificate, if used, must be the same on both sides.)
- server-cert.pem, server-key.pem: Use these to set the ssl_cert and ssl_key system variables on the server side.
- client-cert.pem, client-key.pem: Use these as the arguments to the --ssl-cert and --ssl-key options on the client side.
For additional usage instructions, see Section 5.1, “Configuring MySQL to Use Encrypted Connections”.
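The script below is an added example, not the freelan sample folder's scripts nor the MySQL documentation's own commands, but it follows the procedure both describe: a passphrase-protected CA key and self-signed CA certificate, a private key and certificate request generated on the host side, the request signed on the CA side, and the resulting files checked the way the freelan steps and Example 1 above recommend (chain verification, validity dates, the CA Common Name differing from every leaf's, and each key belonging to its certificate). File names follow the MySQL example; the Common Names, key sizes, validity periods, serial numbers and the demo CA passphrase are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not the freelan or MySQL documentation's own script):
# builds a small CA, signs a server and a client certificate from CSRs,
# then runs the checks a practitioner wants before deploying the files.
# Assumptions: the openssl CLI is installed; file names follow the MySQL
# example (ca.pem, server-cert.pem, ...); subjects, key size, validity,
# serial numbers and the demo CA passphrase are arbitrary choices.
set -eu

WORK=${WORK:-$(mktemp -d)}
trap 'rm -rf "$WORK"' EXIT
CA_PASS=${CA_PASS:-demo-ca-passphrase}   # demo only; never hard-code a real one

# CA side: passphrase-protected CA key plus self-signed CA certificate.
make_ca() {            # $1 = CA common name
    openssl genrsa -aes256 -passout "pass:$CA_PASS" -out "$WORK/ca-key.pem" 2048 2>/dev/null
    openssl req -new -x509 -days 3650 -key "$WORK/ca-key.pem" -passin "pass:$CA_PASS" \
        -subj "/CN=$1" -out "$WORK/ca.pem"
}

# Host side: the private key and the request are produced where the key will
# live; only the request ($1-req.pem) travels to the CA, never the key.
make_key_and_csr() {   # $1 = file prefix (server/client), $2 = common name
    openssl genrsa -out "$WORK/$1-key.pem" 2048 2>/dev/null
    openssl req -new -key "$WORK/$1-key.pem" -subj "/CN=$2" -out "$WORK/$1-req.pem"
}

# CA side: sign the request. Every certificate gets its own serial number.
sign_csr() {           # $1 = file prefix, $2 = serial
    openssl x509 -req -days 365 -in "$WORK/$1-req.pem" -CA "$WORK/ca.pem" \
        -CAkey "$WORK/ca-key.pem" -passin "pass:$CA_PASS" -set_serial "$2" \
        -out "$WORK/$1-cert.pem" 2>/dev/null
}

# A certificate that this CA did not issue (here: self-signed) must not verify.
make_rogue_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=rogue" \
        -keyout "$WORK/rogue-key.pem" -out "$WORK/rogue-cert.pem" 2>/dev/null
}

# Check 1: chain validation against the CA. Prints OK or FAIL.
verify_cert() {        # $1 = certificate file name
    if openssl verify -CAfile "$WORK/ca.pem" "$WORK/$1" >/dev/null 2>&1; then
        echo OK
    else
        echo FAIL
    fi
}

# Check 2: the CA Common Name must differ from every leaf's (MySQL caveat).
cert_cn() {            # $1 = certificate file name; prints its CN
    openssl x509 -noout -subject -nameopt RFC2253 -in "$WORK/$1" \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Check 3: a certificate and a key belong together when their public keys agree.
key_matches_cert() {   # $1 = file prefix; prints match or mismatch
    a=$(openssl x509 -noout -pubkey -in "$WORK/$1-cert.pem")
    b=$(openssl pkey -pubout -in "$WORK/$1-key.pem")
    if [ "$a" = "$b" ]; then echo match; else echo mismatch; fi
}

# Check 4: the validity window, as the documentation suggests.
cert_dates() {         # $1 = certificate file name
    openssl x509 -noout -dates -in "$WORK/$1"
}

main() {
    make_ca "Demo CA"
    make_key_and_csr server "db.example.internal"
    make_key_and_csr client "mysql-client"
    sign_csr server 1
    sign_csr client 2
    make_rogue_cert
    for c in server-cert.pem client-cert.pem rogue-cert.pem; do
        echo "$c: verify=$(verify_cert "$c") cn=$(cert_cn "$c")"
        cert_dates "$c"
    done
    echo "server key/cert: $(key_matches_cert server)"
    echo "client key/cert: $(key_matches_cert client)"
}
main
```

The passphrase is passed with `-passin pass:` only so the script runs unattended; in real use type it interactively or point `-passin` at a protected file, since a literal on the command line is visible in shell history and process listings. The rogue certificate shows what `openssl verify` reports for a certificate the CA never signed, which is exactly what the signing mechanism described in the freelan section is meant to catch.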
Example 2: Creating SSL Files Using a Script on Unix
Here is an example script that shows how to set up SSL certificate and key files for MySQL. After executing the script, use the files for SSL connections as described in Section 5.1, “Configuring MySQL to Use Encrypted Connections”.
Download OpenSSL for Windows if it is not installed on your system. An overview of available packages can be seen here:
Choose the Win32 OpenSSL Light or Win64 OpenSSL Light package, depending on your architecture (32-bit or 64-bit). The default installation location will be C:\OpenSSL-Win32 or C:\OpenSSL-Win64, depending on which package you downloaded. The following instructions assume a default location of C:\OpenSSL-Win32. Modify this as necessary if you are using the 64-bit package.
If a message occurs during setup indicating '...critical component is missing: Microsoft Visual C++ 2008 Redistributables', cancel the setup and download one of the following packages as well, again depending on your architecture (32-bit or 64-bit):
- Visual C++ 2008 Redistributables (x86), available at:
- Visual C++ 2008 Redistributables (x64), available at:
After installing the additional package, restart the OpenSSL setup procedure.
During installation, leave the default C:\OpenSSL-Win32 as the install path, and also leave the default option 'Copy OpenSSL DLL files to the Windows system directory' selected. When the installation has finished, add C:\OpenSSL-Win32\bin to the Windows System Path variable of your server (depending on your version of Windows, the following path-setting instructions might differ slightly):
- On the Windows desktop, right-click the My Computer icon, and select Properties.
- Select the Advanced tab from the System Properties menu that appears, and click the button.
- Under System Variables, select Path, then click the button. The Edit System Variable dialogue should appear.
- Add ';C:\OpenSSL-Win32\bin' to the end (notice the semicolon).
- Press OK 3 times.
- Check that OpenSSL was correctly integrated into the Path variable by opening a new command console (Start>Run>cmd.exe) and verifying that OpenSSL is available:
After OpenSSL has been installed, use instructions similar to those from Example 1 (shown earlier in this section), with the following changes:
- Change the following Unix commands:
On Windows, use these commands instead:
- When a '\' character is shown at the end of a command line, this '\' character must be removed and the command lines entered all on a single line.
After generating the certificate and key files, to use them for SSL connections, see Section 5.1, “Configuring MySQL to Use Encrypted Connections”.